June 2022 - FreeIPA-users - Fedora Mailing-Lists

by Charles Hedrick

the error is The KDC certificate in cert.pem, privkey.pem is not valid: invalid for a KDC ________________________________ From: Charles Hedrick via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> Sent: Wednesday, June 15, 2022 3:39 PM To: freeipa-users(a)lists.fedorahosted.org <freeipa-users(a)lists.fedorahosted.org> Cc: Charles Hedrick <hedrick(a)rutgers.edu> Subject: [Freeipa-users] ipa-server-certinstall -k ipa-server-certinstall works fine for http and ldap. But I can't get the -k option to work. I've tried cert.pem and privkey.pem with and without chain.pem, as well as fullchain.pem and privkey.pem (fullchain has both the cert and the chain). The certs were issued by Internet2, which chains up to addtrust. kinit -n works fine if I install the pem files manually, so presumably my files are valid.

1 year, 3 months

1
0
0 / 0

ipa-server-certinstall -k

by Charles Hedrick

ipa-server-certinstall works fine for http and ldap. But I can't get the -k option to work. I've tried cert.pem and privkey.pem with and without chain.pem, as well as fullchain.pem and privkey.pem (fullchain has both the cert and the chain). The certs were issued by Internet2, which chains up to addtrust. kinit -n works fine if I install the pem files manually, so presumably my files are valid.

1 year, 3 months

1
0
0 / 0

FreeIPA 4.9.10

by Antonio Torres

1 year, 3 months

1
0
0 / 0

Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm

by rui liang

I did it, Date - the 2021-08-28 s for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert resubmit -i $line; done Now the CA status is all CA_UNREACHABLE How do I deal with this? It's getting worse. Can you help me? Thank you very much I see no response, and it's being executed ipa-cacert-manage renew ipa-certupdate root@fs-hiido-kerberos-21-117-149:/var/lib/certmonger/requests# getcert list Number of certificates and requests being tracked: 8. Request ID '20190910112327': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=CA Audit,O=YYDEVOPS.COM expires: 2021-08-30 11:23:07 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190910112328': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=OCSP Subsystem,O=YYDEVOPS.COM expires: 2021-08-30 11:23:06 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign eku: id-kp-OCSPSigning pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190910112329': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=CA Subsystem,O=YYDEVOPS.COM expires: 2021-08-30 11:23:07 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190910112330': status: CA_UNREACHABLE ca-error: Internal error stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=Certificate Authority,O=YYDEVOPS.COM expires: 2039-09-10 11:23:06 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20190910112331': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:8080/ca/ee/ca...: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=IPA RA,O=YYDEVOPS.COM expires: 2021-08-30 11:23:25 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20190910112332': status: CA_UNREACHABLE ca-error: Error 7 connecting to https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:8443/ca/agen...: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM expires: 2021-08-30 11:23:06 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20190910112351': status: CA_UNREACHABLE ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm. stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM expires: 2023-08-14 11:24:24 UTC principal name: ldap/fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com(a)YYDEVOPS.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib/ipa/certmonger/restart_dirsrv YYDEVOPS-COM track: yes auto-renew: yes Request ID '20190910112410': status: CA_UNREACHABLE ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm. stuck: no key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=YYDEVOPS.COM subject: CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM expires: 2023-08-14 11:26:13 UTC principal name: HTTP/fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com(a)YYDEVOPS.COM key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib/ipa/certmonger/restart_httpd track: yes auto-renew: yes

1 year, 3 months

2
6
0 / 0

Upgrading from EL7.9 to EL8

by Angus Clarke

Hello I am planning the upgrade of one of our FreeIPA deployments from EL7.9 Previously, we have been quite good at upgrading through OS point upgrades (7.3, 7.4, 7.5 etc) as this was the advice through that series of FreeIPA software. Upgrading our FreeIPAs from EL7.9 today will see me introduce an EL8 FreeIPA which will receive the freeipa software from the Appstream repository. At time of writing, that process will see me introducing a replica running ipa-server 4.9.8 to my existing FreeIPA nodes running ipa-server 4.6.8 Should I be concerned about more minor updates and find some way of upgrading through different ipa-server (and dependencies) releases from Appstream or do you think I should just run the procedure as described above? Thanks Angus

1 year, 3 months

1
0
0 / 0

IPA Update Problem

by Georg Seyerl

Hi IPA Team, after an IPA upgrade from version 4.9.6 to 4.9.8 I get the following error when I run ipa-server-upgrad manually: 2022-06-09T09:24:25Z DEBUG stderr= 2022-06-09T09:24:25Z DEBUG wait_for_open_ports: localhost [389] timeout 120 2022-06-09T09:24:25Z DEBUG waiting for port: 389 2022-06-09T09:24:25Z DEBUG Failed to connect to port 389 tcp on 127.0.0.1 2022-06-09T09:26:25Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manua lly. 2022-06-09T09:26:25Z DEBUG File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 180, in execute return_value = self.run() File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run server.upgrade() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 2011, in upgrade upgrade_configuration() File "/usr/lib/python3.6/site-packages/ipaserver/install/server/upgrade.py", line 1632, in upgrade_configuration ds.start(ds.serverid) File "/usr/lib/python3.6/site-packages/ipaserver/install/dsinstance.py", line 643, in start instance_name, capture_output=capture_output, wait=wait File "/usr/lib/python3.6/site-packages/ipaserver/install/service.py", line 524, in start self.service.start(instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python3.6/site-packages/ipaplatform/redhat/services.py", line 138, in start instance_name, capture_output=capture_output, wait=wait) File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 317, in start self.wait_for_open_ports(self.service_instance(instance_name)) File "/usr/lib/python3.6/site-packages/ipaplatform/base/services.py", line 286, in wait_for_open_ports self.api.env.startup_timeout) File "/usr/lib/python3.6/site-packages/ipapython/ipautil.py", line 1341, in wait_for_open_ports raise socket.timeout("Timeout exceeded") 2022-06-09T09:26:25Z DEBUG The ipa-server-upgrade command failed, exception: timeout: Timeout exceeded 2022-06-09T09:26:25Z ERROR Timeout exceeded 2022-06-09T09:26:25Z ERROR The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information A subset of the upgraded packages: Upgrade ipa-client-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64 @ol8_x86_64_appstream Upgraded ipa-client-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64 @@System Upgrade ipa-client-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch @ol8_x86_64_appstream Upgraded ipa-client-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System Upgrade ipa-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch @ol8_x86_64_appstream Upgraded ipa-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System Upgrade ipa-healthcheck-core-0.7-10.module+el8.6.0+20578+18b36d36.noarch @ol8_x86_64_appstream Upgraded ipa-healthcheck-core-0.7-6.module+el8.5.0+20379+1b4496cf.noarch @@System Upgrade ipa-selinux-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch @ol8_x86_64_appstream Upgraded ipa-selinux-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System Upgrade ipa-server-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64 @ol8_x86_64_appstream Upgraded ipa-server-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64 @@System Upgrade ipa-server-common-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.noarch @ol8_x86_64_appstream Upgraded ipa-server-common-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.noarch @@System Upgrade ipa-server-trust-ad-4.9.8-7.0.1.module+el8.6.0+20654+19b76db2.x86_64 @ol8_x86_64_appstream Upgraded ipa-server-trust-ad-4.9.6-12.0.1.module+el8.5.0+20642+b228f286.x86_64 @@System We found the following error in the file /var/log/dirsrv/DOMAIN/errors [09/Jun/2022:11:30:45.658955068 +0200] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/fqdn-host@MYDOMAIN] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328228 (Cannot contact any KDC for requested realm) In comparison with other IPA Servers the entries in the ds.keytab file looks fine. Thanks G

1 year, 3 months

3
4
0 / 0

[SSSD] Announcing SSSD 2.7.2

by Pavel Březina

# SSSD 2.7.2 The SSSD team is announcing the release of version 2.7.2 of the System Security Services Daemon. The tarball can be downloaded from: https://github.com/SSSD/sssd/releases/tag/2.7.2 See the full release notes at: https://sssd.io/release-notes/sssd-2.7.2.html *This is a hot fix release* which fixes a serious regression that prevented IPA users to log in. This fix is already included in Fedora packages. ## Feedback Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users ## Highlights ### Important fixes * A serious regression introduced in `sssd-2.7.1` that prevented successful authentication of IPA users was fixed. ### Configuration changes * Default value of `pac_check` changed to `check_upn, check_upn_dns_info_ex` (for AD and IPA provider).

1 year, 3 months

1
0
0 / 0

Re: Welcome to the "FreeIPA-users" mailing list

by Sarawut Leelatwatanakul

Hi, I’d like to post this this forum. Thanks, Lee. > On 13 Jun BE 2565, at 14:21, freeipa-users-request(a)lists.fedorahosted.org wrote: > > Welcome to the "FreeIPA-users" mailing list! > > To post to this list, send your email to: > > freeipa-users(a)lists.fedorahosted.org > > You can make such adjustments via email by sending a message to: > > freeipa-users-request(a)lists.fedorahosted.org > > with the word 'help' in the subject or body (don't include the > quotes), and you will get back a message with instructions. You will > need your password to change your options, but for security purposes, > this email is not included here. If you have forgotten your password > you will need to click on the 'Forgot Password?' link on the login > page.

1 year, 3 months

1
0
0 / 0

ipa client install error never seen before

by Ranbir

Hi All, I'm running a Rocky IdM domain with six masters. I have a one way trust configured with the AD domain. I can look up users in AD from the trust agents and controllers. So far so good. I'm now doing a typical client enrollment, which is something I've done many, many times before. The client install completes, but the messages below get ouput during the install/config: Principal is not set when enrolling with OTP; using principal 'admin(a)idm.dope.tld' for 'getent passwd' Unable to find 'admin' user with 'getent passwd admin(a)idm.dope.tld'! Unable to reliably detect configuration. Check NSS setup manually. The end result is I can't lookup trusted users in AD or the ipa domain. /etc/nsswitch.conf is also not configured like it normally is. I ran the install in verbose mode, which didn't reveal anything obvious either. :/ I'm confused as to why it's even happening. I did a POC for everyone to prove freeipa will work for us and I didn't encounter any problems. Everything went as I expected it to. The one difference between the prod system I'm building now and the POC is that the trust for the POC ipa domain was with a different AD domain. I don't see how that could be affecting the install on this first client. Any tips/help would be appreciated. -- Ranbir

1 year, 3 months

2
4
0 / 0

FreeIPA and samba problems

by Mathias Homann

Hi all, I have successfully deployed a FreeIPA server in docker using the image from https://hub.docker.com/r/freeipa/freeipa-server/, and on the linux side everything works just fine - user logins, automount, using IPA as authentication source for AWX and portainer, you name it. Today I have joined my samba server to the ipa realm, and finally turned off nis - and that's where the *** hit the fan: samba isn't working anymore. If I run that samba as standalone I can't connect because it seems that samba (on opensuse) doesn't know how to get user details from sssd, so when I tred to connect I got this: [2022/06/07 17:49:25.744112, 0] ../../source3/passdb/lookup_sid.c: 1633(get_primary_group_sid) Failed to find a Unix account for lemmy So I made my way through https://www.freeipa.org/page/Howto/ Integrating_a_Samba_File_Server_With_IPA but that's not helping either. Now, when I try something like "smbclient -k -L smbserver" I get some weird "session setup failed: NT_STATUS_INVALID_PARAMETER" message on the commandline - but it works just fine when I run the same command against the actual ipa server. Right now I'm using the minimal smb.conf from that website. What am I missing? Cheers MH -- Mathias Homann Mathias.Homann(a)openSUSE.org Jabber (XMPP): lemmy(a)tuxonline.tech Matrix: @mathias:eregion.de IRC: [Lemmy] on liberachat and ircnet (bouncer active) keybase: https://keybase.io/lemmy gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

1 year, 3 months

3
5
0 / 0

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users June 2022